The Irish High Court on May 14, 2021, in Facebook Ireland Limited v. Data Protection Commission dismissed a judicial review brought by Facebook Ireland (“Facebook”) on inquiries initiated by the Irish Data Protection Commissioner (“DPC”) earlier in August 2020 regarding Facebook’s international data transfers to the United States. By quashing the judicial review, the Irish High Court has provided leverage to the DPC to require Facebook to cease all data transfers from the European Union to the US.
Background on the Case
In July 2020, the Court of Justice of the European Union (“CJEU”) ruled that the data transfer mechanism between the US and the EU, the privacy shield, did not adhere to EU data protection standards, and rendered it invalid. The CJEU also stated that standard contractual clauses (“SCCs”) alone may also not be sufficient in protecting the personal data of EU citizens, specifically when such data is being transferred to jurisdictions that are non-adequate according to EU data protection standards. Shortly after the CJEU decision, the DPC opened a second ‘own volition’ investigation into Facebook’s data transfer practices utilising the SCCs, and in August 2020 published a preliminary draft decision which found that Facebook’s data transfer to the US infringed the General Data Protection Regulation (“GDPR”). Not surprisingly, Facebook disagreed with the preliminary decision and filed for a judicial review against the DPC, and claimed the decision to be premature. Facebook also argued that its right to fair procedure had been infringed as the DPC issued the preliminary draft decision before the European Data Protection Board (“EDPB”) could release its guidance on the Schrems II decision. On this point, the Irish High Court proclaimed that the DPC does not have any statutory duty to wait for the EDPB’s guidance and that the DPC was entitled to follow its own procedure for the investigation.
BlockSuits Comments
Earlier in 2020, the DPC had provided 21 days, from the resumption of the inquiry, to Facebook to respond to the preliminary decision which found that Facebook infringed the GDPR. To this, Facebook argued that 21 days were not sufficient for a response, and it would further violate its right to fair procedure. However, after the Irish High Court decision, the original 21-day timeline has now been established again, and Facebook will be required to respond within it. If the DPC decides that Facebook’s data transfer will have to be ceased, then Facebook will be required to store all data locally in order to conform to the provisions of the GDPR. Such a decision may most likely also require the approval of the EDPB, following a vote by EU member states.
Authored by Shivani Agarwal, Founder and Samaksh Khanna, Co-founder.
Comments